From 6226ce2828de80955ff1d4ef6c0f3d63bd1d3773 Mon Sep 17 00:00:00 2001
From: Gandalf
Date: Tue, 23 Dec 2025 00:08:20 +0100
Subject: [PATCH] fix(security): Validate username format in log_account endpoint

Add isSafeForLogging validation to prevent log injection attacks.
Only allows lowercase letters, numbers, dots, and hyphens (max 16 chars).
This blocks control characters like newlines that could be used to forge fake log entries.
---
 packages/middleware/lib/log-account-handler.ts | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/packages/middleware/lib/log-account-handler.ts b/packages/middleware/lib/log-account-handler.ts
index eef113bbb..bcdf2490e 100644
--- a/packages/middleware/lib/log-account-handler.ts
+++ b/packages/middleware/lib/log-account-handler.ts
@@ -11,6 +11,16 @@ import {
 import { getClientIp } from './common-utils';
 import { checkCsrfHeader } from '@smart-signer/lib/csrf-protection';
 
+/**
+ * Validates that input is safe to log (prevents log injection).
+ * Only allows lowercase letters, numbers, dots, and hyphens.
+ */
+function isSafeForLogging(input: string): boolean {
+ if (typeof input !== 'string') return false;
+ if (input.length === 0 || input.length > 16) return false;
+ return /^[a-z0-9.-]+$/.test(input);
+}
+
 export async function handleLogAccount(req: NextApiRequest, res: NextApiResponse) {
 if (req.method !== 'POST') {
 return res.status(405).json({ error: 'Method not allowed' });
@@ -51,6 +61,11 @@ export async function handleLogAccount(req: NextApiRequest, res: NextApiResponse
 return;
 }
 
+ // Validate username format to prevent log injection
+ if (!isSafeForLogging(username)) {
+ return res.status(400).json({ error: 'Invalid username format' });
+ }
+
 // Parse authProof transaction to get loginChallenge and loginType
 const parsedData = await parseAuthProofTransaction(authProof);
 if (!parsedData) {
-- 
GitLab
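Review bot: `isSafeForLogging` declares its parameter as `input: string` but then guards `typeof input !== 'string'` at runtime; under `strict` that guard narrows `input` to `never`, so a type-checked lint rule will report the branch as unreachable even though it is exactly the check a value taken from `req.body` needs. Declaring the parameter as `unknown` and returning a type predicate keeps the runtime check meaningful and lets the caller's `username` narrow to `string` after the call: `function isSafeForLogging(input: unknown): input is string {`. The doc comment should also state the length rule the body enforces, since callers will read the comment rather than the regex, e.g. ` * Non-empty and at most 16 characters; anything else (upper case, whitespace, control characters) is rejected.` The anchored `^…$` without the `m` flag is correct here — in JavaScript `$` does not match before a trailing newline, so `"alice\n"` is rejected as intended.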
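Review bot: The new format check sits after the earlier early-return branches that end just above the hunk (`return; }`), so any code in that preceding part of `handleLogAccount` that already logs, echoes or stores `username` still sees the unvalidated value; if such a use exists, the check belongs immediately after `username` is read from the request body, before any other use of it. The body of `handleLogAccount` starts and ends outside this hunk, so I cannot confirm from here whether there is an earlier use. The 400 response is fine as written — it reveals nothing about why the value was rejected — but when the rejection is recorded for audit, log a fixed message together with the client IP (`getClientIp` is already imported at the top of the file) rather than the rejected value itself, so the record of forged-entry attempts does not become the injection vector the patch is closing.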